[isapros] Re: Customizing Lockdown Policy

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 20 May 2006 12:30:21 -0700

Not for RDP - at least, it's never been that for any installation I've done.
It's always been from "Remote Management Computers" for me. I've had to add
Internal Network to the FROM tab each time.

t


On 5/20/06 12:27 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
all:

> You sure the default System Policy isn't Internal to Local Host?
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>> (Hammer of God)
>> Sent: Saturday, May 20, 2006 2:13 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Customizing Lockdown Policy
>> 
>> But if you edit the system policy, you can change the "to/from" on those
>> defined rules.  For instance, the default RDP system policy is not
>> "Allowing Remote Desktop Protocol (RDP) from Internal to Local Host" as you
>> have below - it is RDP from the default "Remote Management Computers"
>> Computer Set.  This set is empty by default unless you installed ISA via
>> RDP, in which case it automatically populates the box you installed it from
>> (which is pretty damn smart, if you asked me.)
>> 
>> If you wanted RDP from Internal to LH available while the system was in
>> lockdown, you would have to edit the system policy for Terminal Services
>> (RDP.)
>> 
>> t 
>> 
>> 
>> On 5/20/06 12:11 PM, "Thomas W Shinder"
>> <tshinder@xxxxxxxxxxx> spoketh to
>> all:
>> 
>>> Hi Jim,
>>> 
>>> I thought lockdown policy was limited to:
>>> 
>>> * Allowing hosts in the Internal network element to access the
>>> Local Host network element using the firewall's administration protocol.
>>> * Allowing Remote Desktop Protocol (RDP) from Internal to Local Host.
>>> * Allowing ICMP ping from Internal to Local Host.
>>> * Allowing DHCP from any host to Local Host.
>>> * Outgoing traffic from the firewall to any destination.
>>> * Traffic that already has a connection element (this allows
>>> stopping the firewall service without disrupting existing connections).
>>> * Traffic that is to/from the allowed range determined by using FWENGMON.
>>> 
>>> Thanks!
>>> Tom
>>> 
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>> 
>>>  
>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>> Sent: Saturday, May 20, 2006 1:52 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: Customizing Lockdown Policy
>>>> 
>>>> Sorta.
>>>> Lockdown allows all the system policy traffic.
>>>> Thus, if you want to change the traffic profile for lockdown, you can do
>>>> it via system policy management.
>>>> 
>>>> It's not as flexible as array policies, but it covers 99.444% of what
>>>> the ISA admin needs to bring the server back to life.
>>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>>> On Behalf Of Thomas W Shinder
>>>> Sent: Saturday, May 20, 2006 11:45 AM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Customizing Lockdown Policy
>>>> 
>>>> Hey guys,
>>>>  
>>>> I know there is a default lockdown policy, but I was wondering while
>>>> watering the flowers this morning if there was a method to customize the
>>>> lockdown policy, other than using FWENGMON?
>>>>  
>>>> Thanks!
>>>> Tom
>>>>  
>>>> Thomas W Shinder, M.D.
>>>> Site: www.isaserver.org <http://www.isaserver.org/>
>>>> Blog: http://blogs.isaserver.org/shinder/
>>>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>>>> MVP -- ISA Firewalls
>>>> 
>>>>  
>>>> 

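The practical check behind this thread is whether the system policy rule for Terminal Services actually has Internal on its FROM tab, and whether the "Remote Management Computers" computer set is empty (in which case lockdown mode leaves no RDP path to the firewall). The following PowerShell script is an added, read-only audit written for this page; it is not code from the list posters. It drives the ISA Server COM administration object (FPC.Root) and assumes the ISA 2004/2006 SDK object model as recalled here: FPCArray.SystemPolicy.PolicyRules, FPCPolicyRule.SourceSelectionIPs with its Networks and ComputerSets collections, and FPCArray.RuleElements.ComputerSets with Computers and AddressRanges members. Verify those names against the SDK for your ISA version before relying on the output; run it on the ISA Server itself.

```powershell
# Added example (not from the original thread): audit the ISA system policy rules
# that carry RDP / Terminal Services and the "Remote Management Computers" set.
# ASSUMPTIONS (check against the ISA Server SDK for your version):
#   - 'FPC.Root' ProgID and GetContainingArray() return the local array object.
#   - $array.SystemPolicy.PolicyRules enumerates the system policy rules.
#   - A rule's SourceSelectionIPs exposes .Networks and .ComputerSets collections of refs with .Name.
#   - $array.RuleElements.ComputerSets items expose .Computers and .AddressRanges.

$fpc   = New-Object -ComObject 'FPC.Root'
$array = $fpc.GetContainingArray()

# --- 1. Who is in "Remote Management Computers"? Empty means no RDP into the box under lockdown.
$rmcName = 'Remote Management Computers'
$rmc = $array.RuleElements.ComputerSets | Where-Object { $_.Name -eq $rmcName }
if (-not $rmc) {
    Write-Warning "Computer set '$rmcName' not found; object model may differ on this version."
} else {
    $members = @()
    foreach ($c in $rmc.Computers)     { $members += "$($c.Name) ($($c.IPAddress))" }
    foreach ($r in $rmc.AddressRanges) { $members += "$($r.Name) ($($r.IP_From)-$($r.IP_To))" }
    if ($members.Count -eq 0) {
        Write-Warning "'$rmcName' is EMPTY: the default RDP system policy allows nobody in."
    } else {
        Write-Host "'$rmcName' members:"; $members | ForEach-Object { Write-Host "  $_" }
    }
}

# --- 2. Which system policy rules mention RDP / Terminal Services, and is Internal on the FROM side?
$rdpRules = $array.SystemPolicy.PolicyRules |
    Where-Object { $_.Name -match 'Terminal|RDP|Remote Desktop' }

if (-not $rdpRules) {
    Write-Warning 'No system policy rule matching Terminal/RDP found.'
}

foreach ($rule in $rdpRules) {
    $fromNets = @($rule.SourceSelectionIPs.Networks     | ForEach-Object { $_.Name })
    $fromSets = @($rule.SourceSelectionIPs.ComputerSets | ForEach-Object { $_.Name })

    Write-Host ("Rule: {0}  Enabled: {1}" -f $rule.Name, $rule.Enabled)
    Write-Host ("  FROM networks    : {0}" -f ($(if ($fromNets) { $fromNets -join ', ' } else { '(none)' })))
    Write-Host ("  FROM computer sets: {0}" -f ($(if ($fromSets) { $fromSets -join ', ' } else { '(none)' })))

    # The point raised in the thread: Internal is NOT on the FROM tab by default.
    if ($fromNets -contains 'Internal') {
        Write-Host '  Internal network is on the FROM tab: RDP from Internal survives lockdown.'
    } else {
        Write-Warning "  Internal is not a source on '$($rule.Name)'; add it via System Policy Editor if you want RDP from Internal during lockdown."
    }
}
```

The script only reads the configuration; making the change the thread describes (adding Internal to the FROM tab of the Terminal Services system policy rule) is still done in the System Policy Editor and then applied, which the script deliberately does not do.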